OAuth consent phishing abuses legitimate login flows. The victim authenticates successfully, then approves a malicious application that receives long-term API access. MFA does not help: the user completed MFA correctly, so the grant looks like any other valid consent.
Why this works so well
- The login screen is real
- No password is stolen
- Security alerts look legitimate
Once consent is granted, attackers can read mail, access files, and persist even after password resets.
Detection signals to monitor
- New OAuth apps with broad scopes
- Consent from non-admin users
- Mailbox access without login events
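The three signals above, turned into detection logic and run over constructed sample audit records (an added example, not code from the original post; the scope names, field names and 24-hour window are assumptions, not a particular vendor's log schema):

```python
from datetime import datetime, timedelta

# Scopes that grant standing access to mail or files. Names are illustrative
# (assumed), not taken from the original post.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}

# Constructed sample audit records, not real logs.
CONSENTS = [
    {"app": "Invoice Viewer", "user": "alice", "admin": False,
     "scopes": {"User.Read"}, "time": "2024-05-01T09:00:00"},
    {"app": "Mail Sync Helper", "user": "bob", "admin": False,
     "scopes": {"Mail.Read", "offline_access"}, "time": "2024-05-01T09:05:00"},
]
SIGNINS = [
    {"user": "alice", "time": "2024-05-01T08:55:00"},
    {"user": "bob", "time": "2024-05-01T09:04:00"},   # real login, just before consent
]
MAILBOX = [
    {"user": "alice", "app": "Outlook", "time": "2024-05-01T09:10:00"},
    {"user": "bob", "app": "Mail Sync Helper", "time": "2024-05-03T02:00:00"},
]

def ts(s):
    return datetime.fromisoformat(s)

def broad_scope_consents(consents):
    """Signal 1: new app grants that include any broad scope."""
    return [c for c in consents if c["scopes"] & BROAD_SCOPES]

def non_admin_consents(consents):
    """Signal 2: grants approved by ordinary (non-admin) users."""
    return [c for c in consents if not c["admin"]]

def mailbox_access_without_login(mailbox, signins, window=timedelta(hours=24)):
    """Signal 3: mailbox access with no sign-in by that user in the preceding
    window. That pattern is an app using a token, not the user logging in."""
    hits = []
    for m in mailbox:
        t = ts(m["time"])
        recent = [s for s in signins if s["user"] == m["user"]
                  and t - window <= ts(s["time"]) <= t]
        if not recent:
            hits.append(m)
    return hits

def suspicious_apps(consents, signins, mailbox):
    """Combine the signals: apps granted broad scopes by a non-admin user
    that later accessed the mailbox with no accompanying sign-in."""
    flagged = {c["app"] for c in broad_scope_consents(non_admin_consents(consents))}
    quiet = {m["app"] for m in mailbox_access_without_login(mailbox, signins)}
    return sorted(flagged & quiet)
```

On the sample data only "Mail Sync Helper" trips all three signals; the first-party mail client and the narrow-scope app do not.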
How to unwind an OAuth compromise
- Revoke app consent
- Invalidate refresh tokens
- Audit mailbox access logs